Informative Types and Effects for Hybrid Migration Control
Ana Almeida Matos and Jan Cederquist
Instituto de Telecomunicacoes (SQIG) and Instituto Superior Tecnico, Lisbon, Portugal
{ana.matos,jan.cederquist}@ist.utl.pt
Abstract. Flow policy confinement is a property of programs whose declassifications respect the allowed flow policy of the context in which they execute. In a distributed setting where computation domains enforce different allowed flow policies, code migration between domains implies dynamic changes to the relevant allowed policy. Furthermore, when a program consists of more than one thread running concurrently, the same program might need to comply with more than one allowed flow policy simultaneously. In this scenario, confinement can be enforced as a migration control mechanism. In the present work we compare three type-based enforcement mechanisms for confinement with respect to the precision and efficiency of the analysis. In particular, we propose an efficient hybrid mechanism based on statically annotating programs with the declassification effect of migrating code. This is done by means of an informative type and effect pre-processing of the program, whose result is used to support runtime decisions.
1 Introduction
Research in language-based security has paid considerable attention to the study of information flow properties and their enforcement mechanisms [1]. Information flow security concerns the control of how dependencies between information of different security levels can lead to information leakage during program execution. Information flow properties range in strictness from the pure absence of information leaks, classically known as non-interference [2], to more flexible properties that allow declassification to take place in a controlled manner [3].

Separating the problem of enabling flexible information flow policies from that of controlling them paves the way to a modular composition of security properties that can be studied independently. Here we consider a distributed setting with runtime remote thread creation, and the problem of ensuring that declassifications performed by mobile code comply with the flow policy that is allowed at the computation domain where they are performed. We refer to this property as flow policy confinement, and treat it as a migration control problem [4,5].
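The hybrid mechanism sketched in the abstract (pre-compute the declassification effect of each piece of migrating code, then check that effect against the destination domain's allowed flow policy at the moment of migration) and the confinement property just defined, as an added toy model in Python. This is illustrative code written for this page, not the authors' calculus or any implementation of theirs: the tuple-based program syntax, the representation of a flow policy as a set of (from, to) level pairs closed under reflexivity and transitivity, the domain names and policies, and the choice to exclude nested migrations from an enclosing body's effect are all assumptions made here.

```python
"""Toy model of hybrid flow-policy confinement for migrating threads.

Constructed for this page, not the paper's calculus. Assumptions:
  * a flow policy is a set of (from_level, to_level) pairs; a domain's
    allowed policy is taken closed under reflexivity and transitivity;
  * a declassification names the flows it requires;
  * the declassification effect of a thread body is the union of those
    flows, excluding bodies of nested migrations (those are checked
    when they themselves migrate).
"""
from itertools import product
from typing import Any, Dict, FrozenSet, List, Tuple

Flow = Tuple[str, str]
Policy = FrozenSet[Flow]


def closure(policy: Policy) -> Policy:
    """Reflexive-transitive closure of an allowed-flow relation."""
    levels = {lvl for flow in policy for lvl in flow}
    rel = set(policy) | {(lvl, lvl) for lvl in levels}
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(rel), repeat=2):
            if b == c and (a, d) not in rel:
                rel.add((a, d))
                changed = True
    return frozenset(rel)


def permits(allowed: Policy, required: Policy) -> bool:
    """Does the allowed policy cover every flow the code declares it needs?"""
    return required <= closure(allowed)


# Program syntax (tuples, constructed for this example):
#   ("lit", v) | ("var", x) | ("declassify", expr, policy)
#   ("assign", x, expr) | ("seq", stmt, ...) | ("migrate", domain, body)

def decl_effect(node: tuple) -> Policy:
    """Static pass: collect the declassification effect of a thread body."""
    tag = node[0]
    if tag == "declassify":
        return decl_effect(node[1]) | node[2]
    if tag == "migrate":
        return frozenset()   # runs elsewhere; re-checked at its own migration
    eff: Policy = frozenset()
    for child in node[1:]:
        if isinstance(child, tuple):
            eff |= decl_effect(child)
    return eff


def annotate(node: tuple) -> tuple:
    """Informative pre-processing: each migrate node carries its body's effect."""
    if node[0] == "migrate":
        body = annotate(node[2])
        return ("migrate", node[1], body, decl_effect(body))
    return (node[0],) + tuple(
        annotate(c) if isinstance(c, tuple) else c for c in node[1:])


def run(node, domain, domains, store, log):
    """Run an annotated program; migration is the only runtime check."""
    tag = node[0]
    if tag == "lit":
        return node[1]
    if tag == "var":
        return store[node[1]]
    if tag == "declassify":          # no dynamic check: covered at migration time
        return run(node[1], domain, domains, store, log)
    if tag == "assign":
        store[node[1]] = run(node[2], domain, domains, store, log)
        return None
    if tag == "seq":
        for stmt in node[1:]:
            run(stmt, domain, domains, store, log)
        return None
    if tag == "migrate":
        dest, body, effect = node[1], node[2], node[3]
        if not permits(domains[dest], effect):
            log.append(f"denied migration {domain}->{dest}: needs {sorted(effect)}")
            return None              # the remote thread is not created
        log.append(f"migrated {domain}->{dest} with effect {sorted(effect)}")
        return run(body, dest, domains, store, log)
    raise ValueError(f"unknown node {tag}")


class ConfinementError(Exception):
    pass


def launch(program, domain, domains):
    """Hybrid enforcement: annotate once, then run with migration-time checks."""
    annotated = annotate(program)
    if not permits(domains[domain], decl_effect(annotated)):
        raise ConfinementError(f"initial thread not confined to {domain}")
    store: Dict[str, Any] = {}
    log: List[str] = []
    run(annotated, domain, domains, store, log)
    return store, log


# Constructed sample: "phone" allows secret->trusted only; "cloud" also
# allows trusted->public, so by transitivity it permits secret->public.
DOMAINS: Dict[str, Policy] = {
    "phone": frozenset({("secret", "trusted")}),
    "cloud": frozenset({("secret", "trusted"), ("trusted", "public")}),
}

PROGRAM = ("seq",
    ("assign", "s", ("lit", 42)),
    ("assign", "t", ("declassify", ("var", "s"), frozenset({("secret", "trusted")}))),
    ("migrate", "cloud",
     ("assign", "p", ("declassify", ("var", "s"), frozenset({("secret", "public")})))),
    ("migrate", "phone",
     ("assign", "q", ("declassify", ("var", "s"), frozenset({("secret", "public")})))),
)

if __name__ == "__main__":
    final_store, events = launch(PROGRAM, "phone", DOMAINS)
    print(final_store)
    for line in events:
        print(line)
```

A single shared store stands in for per-domain memories, which keeps the model short. The point to notice is the division of labour: `annotate` does the static work once, `run` performs no check at `declassify`, and the only runtime decision is the comparison of a migrating body's pre-computed effect with the destination's allowed policy, so the thread that declassifies secret→public is created on "cloud" but refused on "phone".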
An illustrative scenario could be that of a set of personal mobile appliances,
such as smartphones. Due to their inter-connectivity (web, Bluetooth), they
form networks of highly responsive computing devices with relatively limited